This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] pt_chown: Clear any signal mask inherited from the parent process.

From: Geoffrey Thomas <geofft at ldpreload dot com>
To: libc-alpha at sourceware dot org
Date: Tue, 19 May 2015 01:50:58 -0400 (EDT)
Subject: Re: [PATCH] pt_chown: Clear any signal mask inherited from the parent process.
Authentication-results: sourceware.org; auth=none
References: <alpine dot DEB dot 2 dot 10 dot 1505171554020 dot 13977 at cactuar dot ldpreload dot com> <20150518022332 dot GI12010 at vapier> <alpine dot DEB dot 2 dot 10 dot 1505181747030 dot 13977 at cactuar dot ldpreload dot com> <20150519032813 dot GB20745 at vapier>

On Mon, 18 May 2015, Mike Frysinger wrote:

also, the code needs to be audited to make sure that sending arbitrary signals
can't be abused to make it skip security checks or leave things in a bad state.
rather than unmask all, it might want to unmask one and make sure that one
results in its immediate death.


Signal handlers get reset on exec, so the only thing a signal can do is
immediately kill the process, suspend it, or do nothing, all of which are
fine. The worst thing you can do is kill it between chown and chmod, but
if pt_chown exits successfully, the unprivileged user owns the tty anyway
and can chmod it however they like.


that doesn't mean the code is written to assume the user can send it arbitrary
signals like either kill it at the wrong place or STOP/CONT that can interrupt
some system calls.

I'm not sure I follow. It's _already_ true that the user can send pt_chownarbitrary signals, since it does not do anything to either mask or unmasksignals. If there's some such vulnerability in pt_chown, I can alreadysend it SIGINT, SIGTSTP, SIGQUIT, or SIGHUP by running it in a terminal,or SIGALRM by calling alarm() before execve(), or SIGKILL by setting a CPUlimit, or lots of other things.

The only thing this patch does is make the execution environmentconsistent, regardless of what the signal mask is of the thread callinggrantpt(). (It's also possible to put this code in the implementation ofgrantpt(), but fixing it post-exec is more strightforward, since you don'thave to worry about signal handlers.) If being able to signal pt_chown isa problem, it's _already_ a problem, and it's not made worse by thispatch.

If you're worried that pt_chown is not robust to being sent signals, thenit should explicitly mask or ignore signals while it's running; I'm happyto send in a patch to do that. Or we could just get rid of it as yousuggested, which would also be totally fine with me.


--
Geoffrey Thomas
https://ldpreload.com
geofft@ldpreload.com

References:
- [PATCH] pt_chown: Clear any signal mask inherited from the parent process.
  - From: Geoffrey Thomas
- Re: [PATCH] pt_chown: Clear any signal mask inherited from the parent process.
  - From: Mike Frysinger
- Re: [PATCH] pt_chown: Clear any signal mask inherited from the parent process.
  - From: Geoffrey Thomas
- Re: [PATCH] pt_chown: Clear any signal mask inherited from the parent process.
  - From: Mike Frysinger

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]